Protect Your Network from the SSL v3.0 “POODLE” Vulnerability

Protect Your Network from the SSL v3.0 “POODLE” Vulnerability)

A new vulnerability announced in October and identified in advisory CVE-2014-3566, involves the Secure Sockets Layer version 3 (SSL v3.0) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. ZyXEL Communications is aware of this POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability and offers solutions, as well as a diverse range of Security products, to help protect your network from this threat.

SSL is a frequently utilized transport mechanism for many software components. This POODLE vulnerability presents a weakness in the SSL v3.0 protocol that allows an attacker in a MitM (Man-in-the-Middle) context, to decipher the plain text content of an SSL v3.0 encrypted message.

Most likely to be affected by this threat are web browsers, mail servers, VPN servers, and web servers. As this is a critical vulnerability that can be exploited and can result in significant data theft, ZyXEL strongly recommends that you take appropriate actions, as described below, to secure your network from any potential security holes in applications using version 3 of the SSL protocol.

Solution

To address the issue, on the 30th of October 2014 ZyXEL has released new IDP signatures, versions 3.0.3.111 and 3.1.4.111, for its Next-Gen USG Series gateways and ZyWALL Series VPN firewalls. The IDP signatures will enable devices to activate the following protection and guard networks against the POODLE vulnerability by blocking all types of access using the SSL v3.0 protocol.

In the meantime, it is recommended that our customers immediately take steps to disable SSL v3.0 support for applications on both servers and clients. Many applications that use better encryption by default, implement SSL v3.0 support as a fallback option. This should be disabled to prevent malicious users from forcing SSL v3.0 communication in cases where both parties allow it as an acceptable method. End-users can follow the steps described in the following links to preven any mishaps.

Additionally, a new firmware patch will be released in the middle of November 2014 that deactivates the SSL v3.0 setting by factory default. This is to avoid data leakage from communication between client and server.